Generating SAN SSL certs for CDOT using 2008 AD CS

SAN = Subject Alternative Name

The following post runs through getting SAN certificates for use with Clustered ONTAP. The lab environment has Clustered Data ONTAP 8.2.1 and a Windows 2008R2 AD CS Root CA.

What SAN Names do we want in our SSL Certificate

To make life nice and easy, we’ll just request one SAN certificate for the entire cluster, with everything we could possibly require in.

We have a simple single node cluster, with the following LIFs:

NACLU1::> net int show -field address
vserver  lif          address
-------  ------------ ------------
NACLU1   cluster_mgmt
NACLU1N1 mgmt1
NACLU1N1 rep1
NASVM1   data1
NASVM1   data2

In DNS we’ve have the following Forward Lookup Host (A) entries. In this example, NASVM1.lab.priv has 2 entries in DNS for round-robin load-balancing.

Name                   Data         ReverseDNS?
---------------------- ------------ -----------
NACLU1.lab.priv Yes
NACLU1N1.lab.priv Yes
NACLU1N1-rep1.lab.priv Yes
NASVM1.lab.priv No
NASVM1.lab.priv No
NASVM1-data1.lab.priv Yes
NASVM1-data2.lab.priv Yes

How to Create the Certificate Signing Request for CDOT

Run the command:

NACLU1::> security certificate generate-csr -common-name NACLU1.lab.priv -size 2048 -country US -state "" -locality "" -organization "" -unit "" -email-addr "it@lab.priv" -hash-function SHA256

Here the common-name is NACLU1.lab.priv (the cluster FQDN name with NETBIOS name in capitals - doesn’t really matter what the common-name is though since we’re going to append SAN names to it), the other switches are specific to organization.

An abridged output of the command is below:

Certificate Signing Request :

Private Key :

Note: Please keep a copy of your certificate request and private key for future reference.

It is important to record this output. The ‘CERTIFICATE REQUEST’ section will be provided to the Certification Authority for generation of the SSL cert. The ‘RSA PRIVATE KEY’ section will be used later when installing the certificate. Note: You will only see the complete output one time - if you later run ‘security certificate generate-csr show’ it actually creates a new CSR under the common-name ‘show’.

Copy the contents between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- into a text file and save as say CLUSTER.CSR.

Generating the SAN Certificate with 2008 R2 AD CS

Configure the CA to issue SAN certificates using the following command in the DOS prompt on the CA (if not done so already) and restart the CA service:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then the following command will read the CLUSTER.CSR file as prepared earlier and add all SAN extensions to it, then output the SAN certificate as CLUSTER.CER:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=" CLUSTER.CSR CLUSTER.CER

The above is going overboard on specifying every single DNS and NETBIOS entry used by the cluster for the SAN cert (and the cluster management IP address since logs via https://CLUSTERNAME/SPI redirects to https://CLUSTERIP/...) For the purposes of OCUM connections to the cluster management address, SPI, and logs via the node address, the following is totally sufficient:

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=naclu1&DNS=naclu1.lab.priv&DNS=” CLUSTER.CSR CLUSTER.CER

Note 1: IE requires IP Addresses after DNS=, other browsers after IPAddress=, which explains the cluster management IP address being in there twice.
Note 2: If you’re having problems inputting the above, and have copied from this post, check the formatting of the dash and quotation marks especially (delete and retype in DOS.)

Installing the Certificate in CDOT

Run the command:

NACLU1::> security certificate install -vserver NACLU1 -type server

As prompted, copy and paste in the certificate as contained in the CLUSTER.CER file, and the private key obtained from generating the CSR earlier.

Then run the following commands to apply the SSL certificate to the Cluster (Admin) Vserver:

NACLU1::> security certificate show -vserver NACLU1
NACLU1::> ssl show -vserver NACLU1
NACLU1::> ssl modify -vserver NACLU1 -ca lab-MSCSA1-CA -serial 6167DD8400000000000B -common-name NACLU1.lab.priv

Repeat for the node and data SVMs as required.

Testing the SSL Certificate in CDOT

Test over https://CLUSTER_NETBIOS/spi.

Image: No certificate error to https://naclu1/spi

Test over the SPI to logs.

Image: No certificate error to

Check the SSL Certificate to see the Subject Alternative Name entries.

Image: SAN Entries including IP Address